Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems ADPM’2000 Norbert Völker University of Essex, England

Two Tanks System V0V0 V2V2 V1V1 L Given a controller, verify that the tanks do not overflow and an equilibrium is reached.

Controllers PLC Languages Plants Differential Equations Control Loops Requirements Isabelle/HOL model verify properties and requirements The Idea ODE solverModel checker

HOL Version of higher order predicate logic designed for mechanical hardware verification. Polymorphic type system:   ,   ,  list, … Very expressive due to abstraction and quantification over functions. Widely studied and well understood logical systems. Methodology of embedding other formalisms in HOL, for example subsets of VHDL and Java.

Isabelle/HOL Popular, interactive HOL theorem proving assistant. Stresses logical safety - avoidance of inconsistency. Supports safe theory extension by definitions, data types, primitive recursive functions,... Comes with libraries: nat, int, real, set,.... Open and extendible Proof results from external tools can be imported via oracles.

Discrete Components in HOL f   stream = (    ) f ::  stream   stream causal f =  g.  n x. take n (f x) = g (take n x) stream operators, LTL operators transition systems, automata a  a  a  a  b  b  b  b 

Real Time clock = (    ) constant T :: clock T  T 1 T 2 T 3         Clocks are strictly monotonous, unbounded and start at 0. Conceptual clocks - cycle duration can vary

Function Blocks in HOL IEC PLC programming languages Structured Text (ST) and Sequential Function Charts (SFC) Function blocks written in an idealised subset of ST/SFC are mapped to automata in HOL. Mapping is similar to writing an interpreter in a functional programming language. Automata are not executed - size is not important as long as there is a compact representation in HOL. The HOL embedding defines a semantics.

A Verifiable Subset of ST Restriction to function block level: no configurations, resources, tasks or scheduling Omission of absolute, global, reference or retentive variables. Reactive model: actions are atomic Idealised data types: Int, Bool, String, records, arrays Disregard of implementation limitations. Function block invocation has no side effects!

Real Analysis in Isabelle/HOL Axiomatic type class V of finite-dimensional, normed vector spaces over  Limits, continuity, differentiation Type  flow = (    ) Differentiation operator D:: (  :: V ) flow   flow Lots of elementary lemmas and theorems. Currently no integration, exp, sqrt, ln, sin, … Currently 17 K theory files, 95 K proof code files.

Differential Systems in HOL A differential system (f,x 0 ) without input is a transition system  diffsys = ([ ,  ]   )   where f is continuous and  :: V. Behaviour is given by the solution of the associated differential equation bhv D ::  diffsys   flow bhv D (f, x 0 ) = (  g. g 0 = x 0  D g = f  g) where  is Hilbert’s choice operator. This does not mean we have solved the ODE.

Plants in HOL   F F ::  stream   flow causal F Transition systems (f,y 0 ) f :: [ ,  ]  , y 0 ::   a. continuous (f a) g 0 = bhv D (f (x 0), y 0 ) g (n+1) = bhv D (f (x (n+1), g n (T (n+1))) g 0 g 1 g 2 g 3 g 4

A Control Loop in HOL ttcttp B  B  B                4,4 tt = feedback (ttp  ttc)  4,4 0 ttc ::  stream  (B  B  B) stream ttp :: (B  B  B) stream  (        ) stream

Verification Use standard Isabelle proof strategies and tools: –induction, case distinctions, algebraic manipulation –conditional term rewriting –proof search algorithms Problems: –command line user interface –still relatively low level of proofs –real number library not well developed yet –algebraic manipulation often cumbersome –few decision procedures –analytically intractable systems remain intractable in HOL

What’s There HOL models of automata, stream operators, LTL operators, PLC language subsets, differential and hybrid systems. The beginnings of a HOL Real Analysis library. Small verification examples (standard function blocks, traffic light, container control) Strong points: –Compositional model of hybrid systems as causal functions on stream and flows. –Verification lemmas yield understanding –Trustworthiness of Isabelle/HOL

What’s Missing Models of bigger/ more faithful PLC language subsets More automation of HOL modelling and proofs Connection to other tools A better theorem prover front-end. Comprehensive Real Analysis and Control theory libraries Bigger examples Verification of function block libraries An answer to: What contribution can HOL make?

Questions or Comments?

Transition Systems in HOL ( ,  ) trsys = ([ ,  ]   )   bhv T :: [( ,  ) trsys,  stream ]   stream bhv T (f,y 0 ) x 0 = y 0 bhv T (f,y 0 ) x (n+1) = f (x n) (bhv T (f,y 0 ) x n) Theorem: causal bhv T

Automata in HOL ( , ,  ) automaton = ( ,  ) trsys  ([ ,  ]   ) bhv A :: [( , ,  ) automaton,  stream ]   stream bhv A (S,w) x n = w (x n) (bhv T S x n) Theorem: causal bhv A

SFC Controller S0 S1 S2 S3 S4R S S S Start T 1  S1.T T 2  S2.T Level  L  L   Level V0 V2 V1  bool  level time V0 V1 V2

Controller in HOL ttc_autom :: (   ,   , B  B  B) automaton ttc_autom = ((ttc_tf, (0,0)), ttc_outf ) ttc_tf :: [   ,    ]     ttc_tf (level, t) (step, t 0 ) = ifstep = 0 then (1,t) else ifstep = 1  T 1  t  t 0 then (2,t) else if step = 2  T 2  t  t 0 then (3,t) else if step = 3  Level  L  then (4,t) else if step = 4  Level  L  then (3,t) else (step, t 0 )

Controller in HOL (continued) ttc_outf :: [   ,    ]  B  B  B ttc_outf (level, t) (step, t 0 ) = ifstep = 0 then (False,False,False) else ifstep = 1 then (True, False, False) else if step = 2 then (True, True, False) else if step = 3 then (True, True, True) else (True, False, False)

General Hybrid Systems     g :: [  stream,  flow]   stream   flow causal g g